2105 posts • joined 31 May 2011
Re: Clarity Needed
For most retail establishments, security guard = loss prevention employee. In all cases, the loss prevention aspect comes first. If you want to identify one of these plain-clothes store detective types, get a few friends to go to a store with you, grab a random assortment of merchandise and wander toward the exit chanting "Shrinkage! Shrinkage!"
Everything was just peachy, then it went pear shaped and now it's just the pits.
Sorry! It was just there! ...which is likely to be this guy's defense, too.
Re: Impressive consequences
Like finding a trout in your milk.
You've had that happen too? Good to know I'm not alone after all.
Low hanging fruit
The kind of data held by universities (student records/intellectual property) is a valuable commodity for cyber criminals, so it is crucial that the security and education sectors work together to protect it.
It might also be that schools have notoriously bad security practices and IT staff more underpaid than in other sectors, possibly not having any dedicated to security. Many educators are uninterested in working with security because it "gets in their way". I wouldn't expect this to change any time soon.
Re: And we can avoid...
We need to hold people accountable but if you make penalties for even slight infractions truly Draconian, people just won't report problems.
If we follow the original spirit of the term "Draconian", compliance will be achieved relatively quickly by the survivors. While your point about the harshness of the penalty needing to fit the infraction stands, it does help to take a cue from Draco and make sure that expected behavior is stated explicitly and prominently so there is no possible defense of ignorance. Training always needs to come first and only after should it be followed by enforcement.
Everything old is new again
Gone are the days when the only IT kit our staff used was phones, printers, scanners, desktop PCs, and servers that were bought, configured, installed, and maintained by our IT team.
If you can get your organization to accept that just these items are to be handled by IT staff, you're ahead of the game. Mostly, this article says that there should be the same standards put in place for the new stuff as the old. This might end up being a curse for many locations as they don't have the older tech under control yet, much less have bandwidth for the new.
Re: GCHQ IC Enterprises Bods Ringing NSA Belles and Pleasure Robots
OK, throw me a bone here. I went through this post and removed all lower case letters and it still doesn't make sense. Anagram solvers simply buckled under the load. What could I be missing?
Re: How come they can't learn bash, perl ?
Well that's pretty obvious....
Yeah, because there's all this stuff that couldn't be added into the existing command line interface and run from batch files. We definitely needed a new interface and it really needed to be completely object-oriented. What will they do next? Change the OS GUI? Replace MS Office menus with something completely different that requires everyone to relearn the product from scratch? Change the OS GUI again? The mind boggles!
Don't do financial stuff on the Internet.
Your concerns seem at odds with reality. In as much as there is a way to handle security in any realm, it is hard to argue that it is worse online than IRL. While it is worth calling out companies, applications and web sites that get it wrong, the fact that there is scrutiny on them is more than you get out of physical access to money these days. Ever hear of card skimmers? Hacking ATMs? Perhaps you ought to just hide your money under your mattress or maybe switch entirely back to barter until the monetary Wild West is sorted.
McAfee True Key is not an AV product. At no point in the article is one mentioned directly. The only indirect reference to one might be the bit that says "...any other McAfee signed binary can be used to exploit the vulnerability as long as the binary depends on a DLL outside the list of known DLLs."
Re: Problem-solution dichotomy
I'm a bit hazy on why one would want to drive off with a Tesla. What, exactly, does one plan to do with it?
Sell it for parts, especially the battery. Given the speed at which Tesla doesn't provide service or replacement parts, the various bits you can pull out of a functioning car are going to be worth more than the car itself and have a lot lower chance of getting potential thieves caught.
Re: Keep Calm and Carry On
My tea cosy is far superior. It protects my head from frost, Check! mind control rays Noted!* and physical damage, due to being padded. Good! Plus I can use it to keep my tea warm. All at the same time? Impressive!
* Someone will be there to chat shortly.
Shoot me now. Please, someone.
With my IoT wireless connected smart gun?
Re: The S in IoT stands for security
Well, you can do the VLAN/firewall stuff.... But Joe & Jane Public?
This! This is the heart of the problem with IoT. If only there were an easy to set up and use management system to secure and control all a home's IoT crap... Wouldn't take much technical expertise with a touch of scare tactic marketing to get a business up and running.
Missing the Point
The standards body said using encryption to enforce access control provides better security than software-based solutions, and a given data set can be protected by one encryption attribute, making it efficient.
Security of any type that depends on just one thing is less secure by design than having multiple layers of defense. The statement above implies that access control should be done away with in favor of using encryption-based schemes. I don't know if this is taken out of context or what, but it doesn't strike me as more than replacing one set of issues and vulnerabilities with another, with additional spin-up time to learn and apply the replacement system thrown in (because every new technology is rolled out without a hitch and works just as intended when finally in place).
If this can function in conjunction with existing security schema, it's probably a good thing. If not, I wouldn't want to be the one implementing it.
Re: Forget the geeky stuff, sort out the user experience.
VLC has the same problem - I just want a big pause/play button.
Try the space bar - it's the biggest button on the keyboard!
Re: I don't get it.
Am I missing the point about banning Pro Iranian?
I think yes. As stated, the bans result not from the content so much as the combination of content and the attempt to cover up its origins. My understanding is that if an individual or group posts their political views, that's fine as long as they are transparent as to who they are. If, on the other hand, they establish a series of fake accounts to create the impression that the account holders are someone else and then post those same political views the accounts would fall afoul of this new set of rules.
This is not to say that FB don't have their own political agenda to push or that we should have confidence in what is posted on that platform or in FB's ability to actually be effective in this, but they are giving it a stab.
Re: Don't feed the penguins. They're doing fine without your MSguided help.
I'm of the opinion that if you start to feed penguins with Mad Sheep, then the penguins are at a greater risk of contracting the diseases that they had so far been immune to.
In this case, it's more a matter of feeding the penguins to the mad sheep. I am more concerned with this opening up new exploits to the Windows systems it runs on than the other way around.
That may not be the correct word...
An overzealous Apple fanboy ... plead guilty ... after he allegedly cracked the Cupertino giant's systems ....
I think we have moved on from allegedly to admittedly.
Re: New El Reg UoM?
Inches? Miles? Might I suggest you have a look here
I was aware of the page, but it would not run properly on my work machine. This theoretical stack of cards would soar into the skies a whopping 403 Brontosaurus lengths. Just picture 403 of these late Jurassic giants end to end and then imagine them floating snout to tail tip straight up* and you will be rewarded with a dubiously accurate image of this posited assemblage.
* You might want to imagine a sturdy umbrella or similar protection (see icon) because at least one of the beasts is going to go and from that height... well, let's leave it there.
New El Reg UoM?
I wonder what that equates to in terms of height of a stack of punch cards....
Wonder no more! A punch card can hold about 80 characters or 10 bytes. This means 500MB would take about 5e7 cards. There are about 143 cards to the inch. Stacking them in a continuous column climbs up 349,650 inches or around five and a half miles. YMMV (literally) depending on data storage format on the cards, rounding errors and other assumptions made above, and the amount of caffeine consumed immediately prior to digging this up.
Is El Reg uncommon in being a technology news site which is pretty uniformly pessimistic about technology? And is that conservatism, cynicism or realism?
A little of Column A. A little of Column B.
spelt - past and past participle of spell
Depends on which side of pond you live. If you use "spelt" as such, then "gotten" probably grates on your nerves.
I don't think that means what you think it means
The security of our customers is our top priority...
Nope. This is merely the mantra that corporate droids repeat over and over in hopes that they will be believed. Publicly demonstrating that you wish to discourage research into any of your security products indicates the opposite of it being important to you. If you are actively undermining something, you cannot accurately claim to be supporting it too.
Re: Where To??
Even if you did want to move black hat where would you send it to?
Any number of small, island nations would love to host, would be affordable and already have the kind of environment that would make for a good fit due to their banking sector. Not naming any names, just throwing that out there.
Re: There is so much to be wary of here . . .
Once I got to the point where the name of the app was given (Voatz), my mind just shut off. Seriously? This is what we are trusting with our democracy?
Past time to leave
Our tipster suggested the move is part of a Machiavellian plan to encourage its top workers to leave in order to reduce redundancy payments [Ed: shouldn't Symantec be encouraging its top performers to stay?]
From a beancounter point of view, no difference - a worker is a worker is a worker. They're interchangeable, you see. Besides, there will be plenty of time to train up the new crop once the profitability boost of this round of non-firings wears off.
Mine's the one with a buzzword-laden copy of my resume in the pocket.
Re: Last time I checked Spain was in Europe...
I always found the term African-American a bit weird to begin with; it's not like white Americans are referred to as "European-American" or "Caucasian-American" after all.
While I agree with the sentiment, I've heard both and more. Actually, I find the concept of race a bit weird. It's arbitrary and applied inconsistently. At best, it is a shortcut to assessing cultural affinity. At worst... let's not get into that. Perhaps one day we will have the additional classification of Android-American added to the list. That will come with a bit of a culture shift but not, I would guess, without the bigotry traditionally directed toward any new class or group.
Re: A next step?
...a deeper drill-down into the age, gender, race, geographical location and probably many other attributes of the people who responded: either positively or negatively would be illuminating.
From the paper:
"To that end, we sampled public commentary on three online videos – depicting Bina48, Nadine, and Yangyang – available via YouTube."
It is not possible to gather that data based on comments posted to YouTube, but the study authors address this and other issues in the "Limitations & Avenues for Future Research" section of the paper which notes that it is simply meant to be the start to a broader line of research. I thought it was a well written piece of work, for what it is worth. It even includes links to the videos in case you would like to check them out yourself.
Don't be a Dick
I've worked volunteer security at an annual convention for a number of years (I have odd hobbies) and have had to deal with a number of situations, at least one of which has ended up on YouTube. Deescalation has worked in all cases I have been involved with... so far. We have a paid police presence if that doesn't work.
There will always be people in any group who push the limits for one reason or another. If you say this is a hard limit, they will see how close they can come to the line without going over it - because they didn't break any rules, they feel they haven't done anything wrong even though they had malicious intent. I do not have any compunction about ejecting someone of this nature. This sort of thing is covered in our stated rules, too. One year, we even had a slogan up that said the number one rule was "Don't be a Dick". Of course there was one guy who had to test that and showed up dressed as a giant penis...
Re: It's obvious..
...it's a C4 commercial break
It's 2 milliseconds long... It's a blipvert! Don't decode that signal!
Re: ICANN created the problem
...ICANN (subsequently): Jeez, what a horrible mess. Who could have imagined that new gTLDs would create problems? Why did no one warn us of this?
You left off the part where ICANN go on to repeat the same mistakes over and over again because really, why should they care?
Re: ...citing the Windrush scandal as justification.
My swingometer that gauges whether the government does things more out of malice or incompetence oscillates daily...
Never ascribe to malice what incompetence will adequately explain. There might be malice mixed in, but it's incompetence that gets the job done.
Re: Security *And* Protectionism
This is not new behavior and it is not the whole process. The US government has long taken a prescriptive approach in terms of approving software. There are a variety of lists in fact, from the level this article addresses to the various departments and agencies that make up the government. Each entity reviews each piece of software (including the specific version of each) and creates an approved list that can be used on their systems. At least this is what they are supposed to do - YMMV. This new directive can be best viewed as an additional filter among several already in place.
More telling to me is the statement from the article concerning China and Russia trying to "invest" in American (and I am sure other countries') software companies. There may be perfectly legitimate reasons for making these acquisitions through shell companies and using other methods to obfuscate involvement but that does not mean that the US military should assume the activity is benign.
Not properly House trained
The simplest explanation is that since the focus is on catching crims, the training data was mostly or completely composed of mugshots. This is based on the high false-positive rate that matches the incarceration rate in the US. Nothing like building in a self-perpetuating bias.
I don't think that word means what you think it means
I am quite sure I don't understand all of this, but perhaps someone could fill me in. A Spectre gadget is not particularly well-defined in the article, or at least I was a bit thrown off. It isn't one of the gadgets in the "billions of computers, gadgets, and gizmos at some degree of risk". Does it amount to any code in any remote API that can be abused to exfiltrate data using this method? If so, I would think that identifying them might be accomplished by defining normal, expected calls on each API and monitoring for any that fall outside that set, essentially what most whitelisting apps do during tuning. Easier said than done, I am sure, but perhaps a way to catch things that code review might miss.
Re: I had to laugh
Small business networks will be the most vulnerable, not least because the boss will just buy and connect this crap without talking to their (external) IT people.
You say most, but I work in an understaffed enterprise environment (the default setting for enterprise environments). I am in the midst of implementing a set of network inventory tools and am uncovering so much stuff that no-one at the home office was aware of, much less managed, tracked or configured. Despite having implemented a variety of security restrictions on our wired and wireless networks, our local admins put all sorts of stuff on our networks because someone at their site went out and bought it. Same deal for software. The best thing about the situation is that I just have to turn the data over to someone else to take action. I do not believe my situation is in any way unique.
Two reasons I can think for all these IoT devices. First, it's a fad and manufacturers are afraid that if they don't include the latest and greatest, they won't be able to move their wares even if they implement it in much the same way as slapping a different color paint on it all. In fact, it wouldn't surprise me if we some day soon have IoT paint.
Second, the idea that all this stuff can provide a real, automated household is an interesting and compelling dream. The problem is that there is no way to hold it all together without building it yourself. Most people want to get in their cars, turn the key and go. What they don't want to do is have to build it from scraps and spend all their time maintaining it. We haven't got a Henry Ford of IoT yet. We don't even have a Karl Benz.
Re: Try out the UI
Install Windows 2000 and try to complete a relatively complex task whilst timing it. For example renaming a small music collection. Now try the same task with Windows 10 or Gnome 3 / KDE.
All about the same. Used command line and not some newfangled GUI thing.
Re: "poutine up the cash?"
...there is someone at El Reg whose entire job is just to come up with the worst puns ever. That person needs to be taken out behind the pub and slapped...
You do whatever you want, but I'll buy them a round or two for the same reason. Maybe between us we will make that person happy.
Re: What is a moon ?
The IAU definition of planet works fine for purposes of some scientific fields but not for others, and that is its weakness. It is of an ad hoc nature and lacks general utility. Much better would be to pare down the definition to something along the lines of "a planet is a non-stellar object orbiting a stellar object" and then work on classification of the different types of planets much in the way that stellar objects have been.
Even more telling, there is no IAU definition of moon.
Re: There's something wrong with social media
Maybe 500 words. If you can't put together a well discussed argument then stick to shouting in the road.
With 140 words, give or take, you can put together a sonnet. Then again, the internet has thoroughly disproved the infinite monkey theorem, so that really doesn't offer much hope... Perhaps a platform that forces people to post in verse might be worth a shot just the same.
Re: Uh, no.
People who worked on the Manhattan Project back in the 1940s, doing things in a hurry without modern Elf and Safety rules, got Pu in cuts and grazes, inhaled and ingested Pu particles etc. and they were mostly OK decades later.
The US government has a long history of saying everything is fine concerning health issues (https://www.ncbi.nlm.nih.gov/pubmed/9314220) and decades later admitting it was slightly less so (https://www.nytimes.com/2000/01/29/us/us-acknowledges-radiation-killed-weapons-workers.html). The examples happen to be pertinent to the subject at hand, but are definitely not isolated.
Re: Unfortunately there are only so many pet rabbits one can hunt and eat in Surbiton.
That still leaves a variety of other protein on the hoof or wing (roof rabbit, squab and various other CMOT Dibbler meatonnastick delicacies). You aren't really hungry if you aren't willing to eat it.
Which workers were winning welcome wages?
The article left out some arguably important information. How many hackers earned a piece of that $11.7m pie? How many folks are able to make a living from this kind of work? How many are just earning a little extra on the side? It's certainly good news that this bit of the economy is growing, but is it made up of a bunch of part-timers or well-paid workers? We have a good idea of who the customers are but not of the providers.
What already went wrong?
Usually when you see a story like this, it is in reaction to something having gone wrong. Massive changes were put into place post-Snowden. Similarly, others were implemented after different breaches and attempted breaches occurred. The DoD does not have a great record when it comes to proactively addressing threats of this nature, so it makes me wonder what happened and how much of it will we find out about.
Re: @ James 51
"Because you think that Apple, Google, Microsoft and Uber are paying their fair share of tax ?"
Actually no, the law says they are.
Seems to me you two are talking past each other. There is a consistent difference between legal and fair and this is just one example among many. But don't be deluded for one moment into thinking that if corporations that currently employ these very well known legal loopholes to dodge taxes were suddenly forced or enticed to pay their "fair share" that the money would go anywhere near school systems. It would go straight to the interests of the politicians who are currently protecting their corporate buddies.
Look how the tobacco settlement played out in the US. It was sold to the public as restitution for past wrongs to be applied to victims past, present and future, but most of the money went to the general fund. The on-shoring taxes are not even being played as anything other than a way to bring money into the US as a whole, but it really means it will go to those better connected than others. I lay odds that a significant portion would be returned in one way or another to those being "taxed" in such a fashion.
Re: Is it legitimate to ask
On the one hand even our modern advances only highlight just how stupendously amazing the natural world is... On the other, one can argue that our endeavours have been going on for just under 100 years...
And on the gripping hand, maybe we have been using the wrong tools to go about this. This seems to be a bit like using a claw hammer as a screw driver. While it may eventually get the job done, it's not really intended for that use. I hate to throw out buzzwords, but since the calculations for this sort of work go up exponentially as the simulations become more complex, wouldn't leasing some quantum computing time make sense for this kind of work? Isn't this the sort of scenario quantum computing is being pitched for?
Re: A long, long time ago
Shouldn't that be "shot", past tense?
Possibly both. Language doesn't work well with these time scales. What is being observed today took place long in the past, but at the core of the quasar is a black hole that is still in existence today. If there is any gas around for it to play with, then it probably is still blowing plasma like there's no tomorrow... but maybe it took up knitting instead. It is getting quite up there in age after all.
Simply blocking ports 445, 137 and 138 using a firewall would help.
Help, maybe, but that should be done anyway for your network perimeter and doesn't do much good for local network use given what those ports are used for. Once this thing gets past the hard outer shell of a network, it will be able to feast on the soft parts unimpeded. As the implementation allows it to spread to air-gapped systems (per the article), I wouldn't think concentrating on perimeter security is going to do too much good.